Sailfish Crypto
API DocumentationCryptoPlugin Class
(Sailfish::Crypto::CryptoPlugin)Specifies an interface which provides a variety of cryptographic operations to clients which will be exposed via the Sailfish OS Crypto API. More...
| Header: | #include <Crypto/Plugins/extensionplugins.h> |
Public Types
| enum | EncryptionType { NoEncryption, SoftwareEncryption, TrustedExecutionSoftwareEncryption, SecurePeripheralEncryption } |
Public Functions
| CryptoPlugin() | |
| virtual | ~CryptoPlugin() |
| virtual Sailfish::Crypto::Result | calculateDigest(const QByteArray &data, Sailfish::Crypto::CryptoManager::SignaturePadding padding, Sailfish::Crypto::CryptoManager::DigestFunction digestFunction, const QVariantMap &customParameters, QByteArray *digest) = 0 |
| virtual bool | canStoreKeys() const = 0 |
| virtual Sailfish::Crypto::Result | decrypt(const QByteArray &data, const QByteArray &iv, const Sailfish::Crypto::Key &key, Sailfish::Crypto::CryptoManager::BlockMode blockMode, Sailfish::Crypto::CryptoManager::EncryptionPadding padding, const QByteArray &authenticationData, const QByteArray &authenticationTag, const QVariantMap &customParameters, QByteArray *decrypted, Sailfish::Crypto::CryptoManager::VerificationStatus *verificationStatus) = 0 |
| virtual Sailfish::Crypto::Result | encrypt(const QByteArray &data, const QByteArray &iv, const Sailfish::Crypto::Key &key, Sailfish::Crypto::CryptoManager::BlockMode blockMode, Sailfish::Crypto::CryptoManager::EncryptionPadding padding, const QByteArray &authenticationData, const QVariantMap &customParameters, QByteArray *encrypted, QByteArray *authenticationTag) = 0 |
| virtual Sailfish::Crypto::CryptoPlugin::EncryptionType | encryptionType() const = 0 |
| virtual Sailfish::Crypto::Result | finalizeCipherSession(quint64 clientId, const QByteArray &data, const QVariantMap &customParameters, quint32 cipherSessionToken, QByteArray *generatedData, Sailfish::Crypto::CryptoManager::VerificationStatus *verificationStatus) = 0 |
| virtual Sailfish::Crypto::Result | generateAndStoreKey(const Sailfish::Crypto::Key &keyTemplate, const Sailfish::Crypto::KeyPairGenerationParameters &kpgParams, const Sailfish::Crypto::KeyDerivationParameters &skdfParams, const QVariantMap &customParameters, Sailfish::Crypto::Key *keyMetadata) = 0 |
| virtual Sailfish::Crypto::Result | generateInitializationVector(Sailfish::Crypto::CryptoManager::Algorithm algorithm, Sailfish::Crypto::CryptoManager::BlockMode blockMode, int keySize, const QVariantMap &customParameters, QByteArray *generatedIV) = 0 |
| virtual Sailfish::Crypto::Result | generateKey(const Sailfish::Crypto::Key &keyTemplate, const Sailfish::Crypto::KeyPairGenerationParameters &kpgParams, const Sailfish::Crypto::KeyDerivationParameters &skdfParams, const QVariantMap &customParameters, Sailfish::Crypto::Key *key) = 0 |
| virtual Sailfish::Crypto::Result | generateRandomData(quint64 callerIdent, const QString &csprngEngineName, quint64 numberBytes, const QVariantMap &customParameters, QByteArray *randomData) = 0 |
| virtual Sailfish::Crypto::Result | importAndStoreKey(const QByteArray &data, const Sailfish::Crypto::Key &keyTemplate, const QByteArray &passphrase, const QVariantMap &customParameters, Sailfish::Crypto::Key *keyMetadata) = 0 |
| virtual Sailfish::Crypto::Result | importKey(const QByteArray &data, const QByteArray &passphrase, const QVariantMap &customParameters, Sailfish::Crypto::Key *importedKey) = 0 |
| virtual Sailfish::Crypto::Result | initializeCipherSession(quint64 clientId, const QByteArray &iv, const Sailfish::Crypto::Key &key, Sailfish::Crypto::CryptoManager::Operation operation, Sailfish::Crypto::CryptoManager::BlockMode blockMode, Sailfish::Crypto::CryptoManager::EncryptionPadding encryptionPadding, Sailfish::Crypto::CryptoManager::SignaturePadding signaturePadding, Sailfish::Crypto::CryptoManager::DigestFunction digestFunction, const QVariantMap &customParameters, quint32 *cipherSessionToken) = 0 |
| virtual Sailfish::Crypto::Result | seedRandomDataGenerator(quint64 callerIdent, const QString &csprngEngineName, const QByteArray &seedData, double entropyEstimate, const QVariantMap &customParameters) = 0 |
| virtual Sailfish::Crypto::Result | sign(const QByteArray &data, const Sailfish::Crypto::Key &key, Sailfish::Crypto::CryptoManager::SignaturePadding padding, Sailfish::Crypto::CryptoManager::DigestFunction digestFunction, const QVariantMap &customParameters, QByteArray *signature) = 0 |
| virtual Sailfish::Crypto::Result | storedKey(const Sailfish::Crypto::Key::Identifier &identifier, Sailfish::Crypto::Key::Components keyComponents, const QVariantMap &customParameters, Sailfish::Crypto::Key *key) = 0 |
| virtual Sailfish::Crypto::Result | storedKeyIdentifiers(const QString &collectionName, const QVariantMap &customParameters, QVector<Sailfish::Crypto::Key::Identifier> *identifiers) = 0 |
| virtual Sailfish::Crypto::Result | updateCipherSession(quint64 clientId, const QByteArray &data, const QVariantMap &customParameters, quint32 cipherSessionToken, QByteArray *generatedData) = 0 |
| virtual Sailfish::Crypto::Result | updateCipherSessionAuthentication(quint64 clientId, const QByteArray &authenticationData, const QVariantMap &customParameters, quint32 cipherSessionToken) = 0 |
| virtual Sailfish::Crypto::Result | verify(const QByteArray &signature, const QByteArray &data, const Sailfish::Crypto::Key &key, Sailfish::Crypto::CryptoManager::SignaturePadding padding, Sailfish::Crypto::CryptoManager::DigestFunction digestFunction, const QVariantMap &customParameters, Sailfish::Crypto::CryptoManager::VerificationStatus *verificationStatus) = 0 |
Detailed Description
Specifies an interface which provides a variety of cryptographic operations to clients which will be exposed via the Sailfish OS Crypto API.
The CryptoPlugin type specifies an interface which provides encryption, decryption, signing, verification, key derivation, key pair generation, random data generation, and digest calculation.
The interface also includes methods related to key storage and retrieval, for those plugins which include external key storage capability (which offers the maximum security for stored keys as they need never be pulled into the secrets daemon process address space). Note that if a plugin implements these methods, it must also implement the Sailfish::Secrets::EncryptedStoragePlugin interface from the Sailfish OS Secrets Extension Plugin API. Any plugin which implements both of these interfaces is known as a Crypto Storage Plugin (for an example of such a plugin, please see the ExampleUsbTokenPlugin in the source tree).
Plugin implementers must be aware that the information reporting methods (encryptionType(), and canStoreKeys()) will be invoked from the main thread of the secrets daemon, while the various interface operation methods will be invoked from a separate thread. Plugins are loaded and plugin instances are constructed in the main thread.
In order to implement a Crypto extension plugin, plugin implementers should specify the following in their .pro file:
CONFIG += link_pkgconfig PKGCONFIG += sailfishcryptopluginapi
The CryptoPlugin class extends the Sailfish::Secrets::PluginBase abstract base class, and the sailfishcryptopluginapi pkgconfig file will entail a dependency upon sailfishsecretspluginapi and sailfishsecrets, as well as sailfishcrypto.
An example (skeleton) Crypto plugin without key storage capability may be found at: https://github.com/sailfishos/sailfish-secrets/tree/master/examples/plugins/examplecryptoplugin/
An example (skeleton) Crypto Storage plugin may be found at: https://github.com/sailfishos/sailfish-secrets/tree/master/examples/plugins/examplecryptostorageplugin/
Member Type Documentation
enum CryptoPlugin::EncryptionType
This enum defines the types of encryption capability which may be offered by plugins
| Constant | Value | Description |
|---|---|---|
Sailfish::Crypto::CryptoPlugin::NoEncryption | 0 | No encryption is performed |
Sailfish::Crypto::CryptoPlugin::SoftwareEncryption | 1 | Encryption is performed by "normal" rich execution environment application |
Sailfish::Crypto::CryptoPlugin::TrustedExecutionSoftwareEncryption | 2 | Encryption is performed by trusted execution environment (TEE) application |
Sailfish::Crypto::CryptoPlugin::SecurePeripheralEncryption | 3 | Encryption is performed by a secure element (SE) hardware peripheral via TEE application |
Member Function Documentation
CryptoPlugin::CryptoPlugin()
Construct a new CryptoPlugin instance
[virtual] CryptoPlugin::~CryptoPlugin()
Clean up any memory associated with the CryptoPlugin instance
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::calculateDigest(const QByteArray &data, Sailfish::Crypto::CryptoManager::SignaturePadding padding, Sailfish::Crypto::CryptoManager::DigestFunction digestFunction, const QVariantMap &customParameters, QByteArray *digest)
Calculates a digest of the input message data using the specified padding according to the specified digestFunction, and writes the result hash to the digest out-parameter.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
If the plugin does not support the specified digestFunction, it should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::DigestNotSupportedError.
If the plugin does not support the specified padding, it should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::SignaturePaddingNotSupportedError.
[pure virtual] bool CryptoPlugin::canStoreKeys() const
Returns true if the plugin can store keys
If the plugin either exposes some built-in keys (e.g. as in the case of a USB-token-backed plugin) or allows the creation and storage of new keys (e.g. as in the case of an online-service-backed plugin), it should return true from this method and also must implement the Sailfish::Secrets::EncryptedStoragePlugin interface.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::decrypt(const QByteArray &data, const QByteArray &iv, const Sailfish::Crypto::Key &key, Sailfish::Crypto::CryptoManager::BlockMode blockMode, Sailfish::Crypto::CryptoManager::EncryptionPadding padding, const QByteArray &authenticationData, const QByteArray &authenticationTag, const QVariantMap &customParameters, QByteArray *decrypted, Sailfish::Crypto::CryptoManager::VerificationStatus *verificationStatus)
Decrypt the input data given an initialization vector iv using the specified key and (if applicable) blockMode and padding, and write the decrypted data to the out-parameter decrypted.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
If the specified blockMode is an authenticated mode (such as GCM) then the client should also have provided authenticationData, and upon successfully decrypting the input data the plugin should also calculate the authentication tag and compare it to the given authenticationTag to see if it matches, and should write the comparison result to the verificationStatus out-parameter. Note that if the decryption succeeded but the authentication tag comparison failed, the result of the operation should still be Sailfish::Crypto::Result::Succeeded, but clients are required to explicitly check the value of the verificationStatus out-parameter to determine whether the input data had been tampered with by an attacker.
The key may be either a full key (that is, containing private or secret key data) which may be directly used to perform the decryption operation, or it may be a key reference (that is, containing only metadata, including an identifier) in which case (if it is a reference to a valid key stored by the plugin) the full key it identifies should be retrieved from storage and used to perform the operation.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::encrypt(const QByteArray &data, const QByteArray &iv, const Sailfish::Crypto::Key &key, Sailfish::Crypto::CryptoManager::BlockMode blockMode, Sailfish::Crypto::CryptoManager::EncryptionPadding padding, const QByteArray &authenticationData, const QVariantMap &customParameters, QByteArray *encrypted, QByteArray *authenticationTag)
Encrypt the input data given an initialization vector iv using the specified key and (if applicable) blockMode and padding, and write the encrypted data to the out-parameter encrypted.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
If the specified blockMode is an authenticated mode (such as GCM) then the client should also have provided authenticationData, and upon successfully encrypting the input data the plugin should also write the generated authentication tag to the out-parameter authenticationTag.
The key may be either a full key (that is, containing private or secret key data) which may be directly used to perform the encryption operation, or it may be a key reference (that is, containing only metadata, including an identifier) in which case (if it is a reference to a valid key stored by the plugin) the full key it identifies should be retrieved from storage and used to perform the operation.
[pure virtual] Sailfish::Crypto::CryptoPlugin::EncryptionType CryptoPlugin::encryptionType() const
Returns the type of encryption capability offered by the plugin
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::finalizeCipherSession(quint64 clientId, const QByteArray &data, const QVariantMap &customParameters, quint32 cipherSessionToken, QByteArray *generatedData, Sailfish::Crypto::CryptoManager::VerificationStatus *verificationStatus)
Finalizes the cipher session identified by the specified cipherSessionToken for the client identified by the given clientId, with the specified finalization data, and writes any generated data (e.g. ciphertext, plaintext or signature data) to the out-parameter generatedData, and the result of any verification to the out-parameter verificationStatus.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
In some cases, the input data can be ignored as it is not valid for the finalization operation.
If the cipher session operation is decryption with a symmetric algorithm and the block mode is GCM, or if the cipher session operation is verification of a signature, then the result of the verification should be written to the verificationStatus out-parameter, otherwise that out-parameter can be ignored.
Note that if the cipher session operation is decryption with a symmetric algorithm and the block mode is GCM and the decryption succeeded but the verification failed, the plugin should still return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Succeeded (as it was successfully able to decrypt the input data, and determine that the input data had been tampered with). In that case, the client must check the value of the verificationStatus out-parameter to ascertain whether or not the decrypted data can be trusted.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::generateAndStoreKey(const Sailfish::Crypto::Key &keyTemplate, const Sailfish::Crypto::KeyPairGenerationParameters &kpgParams, const Sailfish::Crypto::KeyDerivationParameters &skdfParams, const QVariantMap &customParameters, Sailfish::Crypto::Key *keyMetadata)
Generates a key based on the given keyTemplate as well as either the given key-pair generation parameters kpgParams or the given symmetric key derivation function parameters skdfParams and stores the generated key into key storage managed by the plugin, and writing a reference to that key to the out-parameter keyMetadata.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
If the given key pair generation parameters kpgParams are valid, then those parameters specify the security size of the key (i.e. modulus length), and the algorithm (according to the key pair type). The algorithm specified in the keyTemplate should be consistent with the algorithm associated with the key pair type specified in the key pair generation parameters, otherwise the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginKeyGenerationError.
Otherwise, if the key derivation parameters skdfParams are valid, then those parameters specify the security size of the key (i.e. the output key size), while the keyTemplate specifies the algorithm for the output key.
If neither the key pair generation parameters nor key derivation parameters are valid, then the plugin should generate a key appropriate for use with the algorithm specified in the keyTemplate, whose security size is that specified in the keyTemplate.
The out-parameter keyMetadata should include only key metadata as well as public key data, but not private or secret key data. It should include the filter data which was specified in the keyTemplate, and it should have its algorithm and size set appropriately. Its identifier should be set to that of the keyTemplate.
The key template will contain an identifier which specifies the name of the collection into which the generated key should be stored, and also the name of the key in that collection.
If the collection name specified in the identifier of the keyTemplate does not specify a valid collection managed by the plugin, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::InvalidKeyIdentifier and the storage error code set to Sailfish::Secrets::Result::InvalidCollectionError.
If the secret name specified in the identifier of the keyTemplate duplicates an existing key or secret in the same collection identified by the collection name specified in the identifier of the keyTemplate, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::InvalidKeyIdentifier and the storage error code set to Sailfish::Secrets::Result::SecretAlreadyExistsError.
If the plugin does not support storing new keys, it should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::OperationNotSupportedError.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::StorageError and the storage error code set to Sailfish::Secrets::Result::DatabaseError.
Otherwise, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Succeeded.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::generateInitializationVector(Sailfish::Crypto::CryptoManager::Algorithm algorithm, Sailfish::Crypto::CryptoManager::BlockMode blockMode, int keySize, const QVariantMap &customParameters, QByteArray *generatedIV)
Write an appropriate (randomly generated) initialization vector for use with encryption and decryption operations based on the specified algorithm, blockMode and keySize into generatedIV.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::generateKey(const Sailfish::Crypto::Key &keyTemplate, const Sailfish::Crypto::KeyPairGenerationParameters &kpgParams, const Sailfish::Crypto::KeyDerivationParameters &skdfParams, const QVariantMap &customParameters, Sailfish::Crypto::Key *key)
Generates a key based on the given keyTemplate as well as either the given key-pair generation parameters kpgParams or the given symmetric key derivation function parameters skdfParams and writes it to the out-parameter key.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
If the given key pair generation parameters kpgParams are valid, then those parameters specify the security size of the key (i.e. modulus length), and the algorithm (according to the key pair type). The algorithm specified in the keyTemplate should be consistent with the algorithm associated with the key pair type specified in the key pair generation parameters, otherwise the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginKeyGenerationError.
Otherwise, if the key derivation parameters skdfParams are valid, then those parameters specify the security size of the key (i.e. the output key size), while the keyTemplate specifies the algorithm for the output key.
If neither the key pair generation parameters nor key derivation parameters are valid, then the plugin should generate a key appropriate for use with the algorithm specified in the keyTemplate, whose security size is that specified in the keyTemplate.
The out-parameter key should include all key data, including private and secret key data, as well as the filter data which was specified in the keyTemplate, and it should have its algorithm and size set appropriately.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::generateRandomData(quint64 callerIdent, const QString &csprngEngineName, quint64 numberBytes, const QVariantMap &customParameters, QByteArray *randomData)
Writes numberBytes of random data generated using the random number generator identified by the specified csprngEngineName into randomData for the caller identified by the given callerIdent.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::importAndStoreKey(const QByteArray &data, const Sailfish::Crypto::Key &keyTemplate, const QByteArray &passphrase, const QVariantMap &customParameters, Sailfish::Crypto::Key *keyMetadata)
Imports the serialized key data of the given data and generates a fully specified and usable key, which is stored to the key storage managed by the plugin, and a reference to that key is written to the out-parameter keyMetadata. The identification of the newly imported key is defined in keyTemplate.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
The serialized key data may require a passphrase to import, in which case the plugin should attempt to use the specified passphrase. If that passphrase fails to decrypt the key content, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIncorrectPassphrase.
The out-parameter keyMetadata should include only key metadata (such as its algorithm, size, and its full identifier) as well as public key data, but not private or secret key data.
If the collection name specified in the identifier of the keyTemplate does not specify a valid collection managed by the plugin, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::InvalidKeyIdentifier and the storage error code set to Sailfish::Secrets::Result::InvalidCollectionError.
If the secret name specified in the identifier of the keyTemplate duplicates an existing key or secret in the same collection identified by the collection name specified in the identifier of the keyTemplate, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::InvalidKeyIdentifier and the storage error code set to Sailfish::Secrets::Result::SecretAlreadyExistsError.
If the plugin does not support storing new keys, it should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::OperationNotSupportedError.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::StorageError and the storage error code set to Sailfish::Secrets::Result::DatabaseError.
Otherwise, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Succeeded.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::importKey(const QByteArray &data, const QByteArray &passphrase, const QVariantMap &customParameters, Sailfish::Crypto::Key *importedKey)
Imports the serialized key data of the given data and generates a fully specified and usable key, which is written to the out-parameter importedKey. The interpretation of the serialized data is left to the plugin to be interpreted.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
The serialized key data may require a passphrase to import, in which case the plugin should attempt to use the specified passphrase. If that passphrase fails to decrypt the key content, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIncorrectPassphrase.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::initializeCipherSession(quint64 clientId, const QByteArray &iv, const Sailfish::Crypto::Key &key, Sailfish::Crypto::CryptoManager::Operation operation, Sailfish::Crypto::CryptoManager::BlockMode blockMode, Sailfish::Crypto::CryptoManager::EncryptionPadding encryptionPadding, Sailfish::Crypto::CryptoManager::SignaturePadding signaturePadding, Sailfish::Crypto::CryptoManager::DigestFunction digestFunction, const QVariantMap &customParameters, quint32 *cipherSessionToken)
Initialize a new cipher session for the client identified by the given clientId, with the initialization vector iv and key key, to perform the specified operation, using the given blockMode, encryptionPadding and signaturePadding (if applicable), and digest function digestFunction, and write a token to track the cipher session to the out-parameter cipherSessionToken.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
The key may be either a full key (that is, containing private or secret key data) which may be directly used to perform the cipher operation, or it may be a key reference (that is, containing only metadata, including an identifier) in which case (if it is a reference to a valid key stored by the plugin) the full key it identifies should be retrieved from storage and used to perform the operation.
Depending on the type of operation the client wishes to perform, some of the input parameters may not be applicable (e.g. the iv might be applicable only for encrypt and decrypt operations, and then only if the key is a symmetric key and the blockMode requires an initialization vector to be provided; similarly the signaturePadding parameter would only be applicable for sign and verify operations; etc).
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::seedRandomDataGenerator(quint64 callerIdent, const QString &csprngEngineName, const QByteArray &seedData, double entropyEstimate, const QVariantMap &customParameters)
Seed the random number generator identified by the given csprngEngineName with the given seedData assuming the specified entropyEstimate for the caller identified by the given callerIdent.
The entropy estimate should be between clamped 0.0 and 1.0.
This operation should be implemented in such a way that it will not affect clients other than the client identified by the callerIdent.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::sign(const QByteArray &data, const Sailfish::Crypto::Key &key, Sailfish::Crypto::CryptoManager::SignaturePadding padding, Sailfish::Crypto::CryptoManager::DigestFunction digestFunction, const QVariantMap &customParameters, QByteArray *signature)
Generates a signature for the input data using the specified padding according to the specified digestFunction with the given key and writes the result to the signature out-parameter.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
If the plugin does not support the specified digestFunction, it should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::DigestNotSupportedError.
If the plugin does not support the specified padding, it should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::SignaturePaddingNotSupportedError.
The key may be either a full key (that is, containing private or secret key data) which may be directly used to perform the data signing operation, or it may be a key reference (that is, containing only metadata, including an identifier) in which case (if it is a reference to a valid key stored by the plugin) the full key it identifies should be retrieved from storage and used to perform the operation.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::storedKey(const Sailfish::Crypto::Key::Identifier &identifier, Sailfish::Crypto::Key::Components keyComponents, const QVariantMap &customParameters, Sailfish::Crypto::Key *key)
Retrieve the key identified by the specified identifier limited to those components specified in keyComponents and write it to the out-parameter key.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
If the collection name specified in the identifier does not specify a valid collection managed by the plugin, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::InvalidKeyIdentifier and the storage error code set to Sailfish::Secrets::Result::InvalidCollectionError.
If the secret name specified in the identifier does not identify an existing key or secret in the collection specified in the identifier, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::InvalidKeyIdentifier and the storage error code set to Sailfish::Secrets::Result::InvalidSecretError.
If the plugin does not support retrieving key data, it should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::OperationNotSupportedError.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::StorageError and the storage error code set to Sailfish::Secrets::Result::DatabaseError.
Otherwise, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Succeeded.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::storedKeyIdentifiers(const QString &collectionName, const QVariantMap &customParameters, QVector<Sailfish::Crypto::Key::Identifier> *identifiers)
Writes the identifiers of all keys stored by the plugin in the collection identified by the given collectionName into the out-parameter identifiers.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
If the given collectionName does not specify a valid collection managed by the plugin, or is empty, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::StorageError and the storage error code set to Sailfish::Secrets::Result::InvalidCollectionError.
If the operation failed due to storage backend failure, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Failed and the error code set to Sailfish::Crypto::Result::StorageError and the storage error code set to Sailfish::Secrets::Result::DatabaseError.
Otherwise, the plugin should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Succeeded.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::updateCipherSession(quint64 clientId, const QByteArray &data, const QVariantMap &customParameters, quint32 cipherSessionToken, QByteArray *generatedData)
Updates the cipher session identified by the specified cipherSessionToken for the client identified by the given clientId with the specified data, and writes any generated data (e.g. ciphertext, plaintext, or signature data) to the out-parameter generatedData.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
[pure virtual] Sailfish::Crypto::Result CryptoPlugin::updateCipherSessionAuthentication(quint64 clientId, const QByteArray &authenticationData, const QVariantMap &customParameters, quint32 cipherSessionToken)
Updates the cipher session identified by the specified cipherSessionToken for the client identified by the given clientId with the specified authenticationData.
If the plugin itself is locked, this function should return a Sailfish::Crypto::Result with the result code set to Sailfish::Crypto::Result::Failed and the error code set to Sailfish::Crypto::Result::CryptoPluginIsLockedError.
The customParameters will contain plugin-specific parameters which may be required by the plugin. Such parameters must be documented for clients in the documentation provided with the plugin, and otherwise should be ignored by plugin implementers.
This method should only be called by clients who are attempting to use an authenticated block mode (such as GCM) which require authentication data to be provided before any other input data.